Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1160
Views
0
Helpful
8
Replies

ASA5510 adnd L2L tunnel in L2L tunnel

Oleg Volkov
Spotlight
Spotlight

‎08-09-2012 02:36 AM

Dear Sirs!

I need to create a VPN between two networks. But the traffic is coming from the ASA  number 1 to ASA number 2 must to go through the server BSD.

I think, I will create a tunnel from each ASA to BSD, and over this tunnel another tunnel betwin two ASA.

In the router, I can make a Tunnel interface, and crypto map at this interface.

and route from one ASA to another ASA through Tunnel interface.

(I will get IPSec tunnel in GRE tunnel).

In this example, I have IP address on Tunnel interfaces as IPSec peers

But how to do it on the ASA (ASA do not support tunnel interface)?

Thanks!

tunnelintunnel.jpg

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
Labels:
0 Helpful
8 Replies 8

Karsten Iwen
VIP
VIP

‎08-09-2012 03:07 AM

These kind of configuration can't be done with the ASA. But why do you want to do that? Perhaps there is a better solution for your needs.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Oleg Volkov
Spotlight
Spotlight
In response to Karsten Iwen

‎08-09-2012 04:00 AM

I need tunnel between two ASA, but traffic must to go through the server BSD. My client, whant monitoring encrypted traffic at BSD server (I do not understand what, but client want :-) )

May be, I can resolve it only by routing?

Can I route packet from ASA №1 to ASA №2 through BSD server who do not place in same betwork segment with ASA?

I think, I can not do it.

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

Karsten Iwen
VIP
VIP
In response to Oleg Volkov

‎08-09-2012 04:04 AM

You can solve it with routing if every router between the ASA and the BSD-Box is aware of this routing-path.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Oleg Volkov
Spotlight
Spotlight
In response to Karsten Iwen

‎08-09-2012 05:11 AM

BSD placed in other city, and connected to Internet.

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

Karsten Iwen
VIP
VIP
In response to Oleg Volkov

‎08-09-2012 05:22 AM

Then you need an additional router in front of the ASA that builds a second tunnel to the BSD-box.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Oleg Volkov
Spotlight
Spotlight
In response to Karsten Iwen

‎08-09-2012 06:35 AM

It is true, but I try to find other method :-)

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

Oleg Volkov
Spotlight
Spotlight
In response to Oleg Volkov

‎08-09-2012 11:28 AM

Dea Sirs!

If I will be use router in front of the ASA and will be use GRE tunnel without protection, what router You recommended?

I look at Cisco 880,890 or Cisco 1841.

If I will be use only GRE tunnels on this router, what throughput I get?

Thanks!

--------------------------------------------------------------------------

Helping seriously ill children, all together. All information about this, is posted on my blog
0 Helpful

Karsten Iwen
VIP
VIP
In response to Oleg Volkov

‎08-09-2012 01:56 PM

Which throughput do you want to achieve? The 890 (ISR G2) is faster them a 1841 (ISR G1). The 880 is the slowest from your list (about half the speed of the 890). For the 890 I would assume a usable throughput of about 50 to 80 MBit/s without any additional services.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents